fi-ts
diff --git a/‎.github/workflows/pull_request.yaml
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/pull_request.yaml
Lines changed: 3 additions & 3 deletions
diff --git a/‎Dockerfile
Lines changed: 2 additions & 2 deletions b/‎Dockerfile
Lines changed: 2 additions & 2 deletions
diff --git a/‎Makefile
Lines changed: 6 additions & 3 deletions b/‎Makefile
Lines changed: 6 additions & 3 deletions
diff --git a/‎api/v1/postgres_types.go
Lines changed: 12 additions & 20 deletions b/‎api/v1/postgres_types.go
Lines changed: 12 additions & 20 deletions
diff --git a/‎controllers/postgres_controller.go
Lines changed: 19 additions & 18 deletions b/‎controllers/postgres_controller.go
Lines changed: 19 additions & 18 deletions
diff --git a/‎controllers/postgres_controller_test.go
Lines changed: 1 addition & 1 deletion b/‎controllers/postgres_controller_test.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎controllers/suite_test.go
Lines changed: 1 addition & 1 deletion b/‎controllers/suite_test.go
Lines changed: 1 addition & 1 deletion
@@ -12,15 +12,15 @@ jobs:
       docker_registry_token: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
     steps:
     - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     - name: Ensure Go Version
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@v5
       with:
         go-version-file: 'go.mod'
 
     - name: Lint
-      uses: golangci/golangci-lint-action@v4
+      uses: golangci/golangci-lint-action@v6
       with:
         args: -p bugs -p unused --timeout=5m
 
 
@@ -1,4 +1,4 @@
-ARG baseImage="golang:1.22"
+ARG baseImage="golang:1.24"
 # Build the manager binary
 FROM ${baseImage} as builder
 
@@ -18,7 +18,7 @@ RUN make
 
 # Start obj-cache
 # https://medium.com/windmill-engineering/tips-tricks-for-making-your-golang-container-builds-10x-faster-4cc618a43827
-FROM golang:1.22 as obj-cache
+FROM golang:1.24 as obj-cache
 COPY --from=builder /root/.cache /root/.cache
 
 # Use distroless as minimal base image to package the manager binary
 
@@ -19,7 +19,7 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
 CONTROLLER_TOOLS_VERSION ?= v0.14.0
 
 # Postgres operator variables for YAML download
-POSTGRES_OPERATOR_VERSION ?= v1.11.0
+POSTGRES_OPERATOR_VERSION ?= v1.14.0
 POSTGRES_OPERATOR_URL ?= https://raw.githubusercontent.com/zalando/postgres-operator/$(POSTGRES_OPERATOR_VERSION)/manifests
 POSTGRES_CRD_URL ?= https://raw.githubusercontent.com/zalando/postgres-operator/$(POSTGRES_OPERATOR_VERSION)/charts/postgres-operator/crds/postgresqls.yaml
 
@@ -238,8 +238,11 @@ localkube-teardown:
 	kind delete cluster --name svc
 
 localkube-install-crd-servicemonitor:
-	kubectl apply --kubeconfig ./kubeconfig-svc -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.45.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml
-	kubectl apply --kubeconfig ./kubeconfig-svc -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.45.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml
+	kubectl apply --kubeconfig ./kubeconfig-svc -f https://raw.githubusercontent.com/prometheus-community/helm-charts/refs/tags/kube-prometheus-stack-65.5.1/charts/kube-prometheus-stack/charts/crds/crds/crd-servicemonitors.yaml
+	kubectl apply --kubeconfig ./kubeconfig-svc -f https://raw.githubusercontent.com/prometheus-community/helm-charts/refs/tags/kube-prometheus-stack-65.5.1/charts/kube-prometheus-stack/charts/crds/crds/crd-podmonitors.yaml
+
+localkube-install-crd-certmanager:
+	kubectl apply --kubeconfig ./kubeconfig-svc -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.4/cert-manager.crds.yaml
 
 localkube-reinstall-postgreslet: localkube-load-image
 	# helm repo add metal-stack https://helm.metal-stack.io # stable repo
 
@@ -16,7 +16,7 @@ import (
 
 	"regexp"
 
-	firewall "github.com/metal-stack/firewall-controller/api/v1"
+	firewall "github.com/metal-stack/firewall-controller/v2/api/v1"
 	zalando "github.com/zalando/postgres-operator/pkg/apis/acid.zalan.do/v1"
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
@@ -27,7 +27,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/yaml"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -370,13 +370,9 @@ func (p *Postgres) ToSharedSvcLB(lbIP string, lbPort int32, enableStandbyLeaderS
 
 	lbsr := []string{}
 	if p.HasSourceRanges() {
-		for _, src := range p.Spec.AccessList.SourceRanges {
-			lbsr = append(lbsr, src)
-		}
-	}
-	for _, scsr := range standbyClustersSourceRanges {
-		lbsr = append(lbsr, scsr)
+		lbsr = append(lbsr, p.Spec.AccessList.SourceRanges...)
 	}
+	lbsr = append(lbsr, standbyClustersSourceRanges...)
 	if len(lbsr) == 0 {
 		// block by default
 		lbsr = append(lbsr, "255.255.255.255/32")
@@ -467,13 +463,9 @@ func (p *Postgres) ToDedicatedSvcLB(lbIP string, lbPort int32, standbyClustersSo
 
 	lbsr := []string{}
 	if p.HasSourceRanges() {
-		for _, src := range p.Spec.AccessList.SourceRanges {
-			lbsr = append(lbsr, src)
-		}
-	}
-	for _, scsr := range standbyClustersSourceRanges {
-		lbsr = append(lbsr, scsr)
+		lbsr = append(lbsr, p.Spec.AccessList.SourceRanges...)
 	}
+	lbsr = append(lbsr, standbyClustersSourceRanges...)
 	if len(lbsr) == 0 {
 		// block by default
 		lbsr = append(lbsr, "255.255.255.255/32")
@@ -703,10 +695,10 @@ func (p *Postgres) ToUnstructuredZalandoPostgresql(z *zalando.Postgresql, c *cor
 	setSharedBufferSize(z.Spec.PostgresqlParam.Parameters, p.Spec.Size.SharedBuffer)
 
 	z.Spec.Resources = &zalando.Resources{}
-	z.Spec.Resources.ResourceRequests.CPU = pointer.String(p.Spec.Size.CPU)
-	z.Spec.Resources.ResourceRequests.Memory = pointer.String(p.Spec.Size.Memory)
-	z.Spec.Resources.ResourceLimits.CPU = pointer.String(p.Spec.Size.CPU)
-	z.Spec.Resources.ResourceLimits.Memory = pointer.String(p.Spec.Size.Memory)
+	z.Spec.Resources.ResourceRequests.CPU = ptr.To(p.Spec.Size.CPU)
+	z.Spec.Resources.ResourceRequests.Memory = ptr.To(p.Spec.Size.Memory)
+	z.Spec.Resources.ResourceLimits.CPU = ptr.To(p.Spec.Size.CPU)
+	z.Spec.Resources.ResourceLimits.Memory = ptr.To(p.Spec.Size.Memory)
 	z.Spec.TeamID = p.generateTeamID()
 	z.Spec.Volume.Size = p.Spec.Size.StorageSize
 	z.Spec.Volume.StorageClass = sc
@@ -719,7 +711,7 @@ func (p *Postgres) ToUnstructuredZalandoPostgresql(z *zalando.Postgresql, c *cor
 
 	// required with image ermajn/postgres-operator:v1.6.0-20-g1cc71663-dirty
 	// see https://github.com/fi-ts/postgreslet/issues/293
-	z.Spec.EnableConnectionPooler = pointer.Bool(false)
+	z.Spec.EnableConnectionPooler = ptr.To(false)
 
 	prefix := alphaNumericRegExp.ReplaceAllString(string(p.Spec.Tenant), "")
 	prefix = strings.ToLower(prefix)
@@ -779,7 +771,7 @@ func (p *Postgres) ToUnstructuredZalandoPostgresql(z *zalando.Postgresql, c *cor
 			S3Endpoint:        rbs.S3Endpoint,
 			S3AccessKeyId:     rbs.S3AccessKey,
 			S3SecretAccessKey: rbs.S3SecretKey,
-			S3ForcePathStyle:  pointer.Bool(true),
+			S3ForcePathStyle:  ptr.To(true),
 		}
 	} else {
 		// if we don't set the clone block, remove it completely
 
@@ -27,9 +27,9 @@ import (
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/tools/record"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 
-	firewall "github.com/metal-stack/firewall-controller/api/v1"
+	firewall "github.com/metal-stack/firewall-controller/v2/api/v1"
 	coreosv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -634,13 +634,10 @@ func (r *PostgresReconciler) updatePodEnvironmentSecret(log logr.Logger, ctx con
 	}
 
 	var s *corev1.Secret
-	ns := types.NamespacedName{
-		Name:      operatormanager.PodEnvCMName,
-		Namespace: p.ToPeripheralResourceNamespace(),
-	}
+	ns := p.ToPeripheralResourceNamespace()
 
-	if s, err = r.OperatorManager.CreateOrGetPodEnvironmentSecret(ctx, ns.Namespace); err != nil {
-		return fmt.Errorf("error while accessing the pod environment secret %v: %w", ns.Namespace, err)
+	if s, err = r.OperatorManager.CreateOrGetPodEnvironmentSecret(ctx, ns); err != nil {
+		return fmt.Errorf("error while accessing the pod environment secret %v: %w", ns, err)
 	}
 
 	s.Data = data
@@ -1089,7 +1086,7 @@ func (r *PostgresReconciler) checkAndUpdatePatroniReplicationConfig(log logr.Log
 				r.recorder.Eventf(s, "Warning", "Error", "failed to get referenced sync standby: %v", err)
 				synchronousStandbyApplicationName = nil
 			} else {
-				synchronousStandbyApplicationName = pointer.String(s.ToPeripheralResourceName())
+				synchronousStandbyApplicationName = ptr.To(s.ToPeripheralResourceName())
 			}
 			// compare the actual value with the expected value
 			if synchronousStandbyApplicationName == nil {
@@ -1217,7 +1214,7 @@ func (r *PostgresReconciler) httpPatchPatroni(log logr.Logger, ctx context.Conte
 					r.recorder.Eventf(s, "Warning", "Error", "failed to get referenced sync standby: %v", err)
 					synchronousStandbyApplicationName = nil
 				} else {
-					synchronousStandbyApplicationName = pointer.String(s.ToPeripheralResourceName())
+					synchronousStandbyApplicationName = ptr.To(s.ToPeripheralResourceName())
 				}
 			}
 			// enable sync replication
@@ -1693,7 +1690,7 @@ func (r *PostgresReconciler) createOrUpdatePatroniPodMonitor(ctx context.Context
 
 	pm.Spec.PodMetricsEndpoints = []coreosv1.PodMetricsEndpoint{
 		{
-			Port: podMonitorPort,
+			Port: ptr.To(podMonitorPort),
 		},
 	}
 	pm.Spec.NamespaceSelector = coreosv1.NamespaceSelector{
@@ -1920,6 +1917,10 @@ func (r *PostgresReconciler) ensureInitDBJob(log logr.Logger, ctx context.Contex
 	j.Name = ns.Name
 	j.Namespace = ns.Namespace
 
+	var uid int64 = 101
+	var gid int64 = 101
+	var ttl int32 = 180
+
 	var backOffLimit int32 = 99
 	j.Spec = batchv1.JobSpec{
 		Template: corev1.PodTemplateSpec{
@@ -1951,12 +1952,12 @@ func (r *PostgresReconciler) ensureInitDBJob(log logr.Logger, ctx context.Contex
 							},
 						},
 						SecurityContext: &corev1.SecurityContext{
-							AllowPrivilegeEscalation: pointer.Bool(false),
-							Privileged:               pointer.Bool(false),
-							ReadOnlyRootFilesystem:   pointer.Bool(true),
-							RunAsNonRoot:             pointer.Bool(true),
-							RunAsUser:                pointer.Int64(101),
-							RunAsGroup:               pointer.Int64(101),
+							AllowPrivilegeEscalation: ptr.To(false),
+							Privileged:               ptr.To(false),
+							ReadOnlyRootFilesystem:   ptr.To(true),
+							RunAsNonRoot:             ptr.To(true),
+							RunAsUser:                ptr.To(uid),
+							RunAsGroup:               ptr.To(gid),
 							Capabilities: &corev1.Capabilities{
 								Drop: []corev1.Capability{"ALL"},
 							},
@@ -1988,7 +1989,7 @@ func (r *PostgresReconciler) ensureInitDBJob(log logr.Logger, ctx context.Contex
 			},
 		},
 		BackoffLimit:            &backOffLimit,
-		TTLSecondsAfterFinished: pointer.Int32(180),
+		TTLSecondsAfterFinished: ptr.To(ttl),
 	}
 
 	if err := r.SvcClient.Create(ctx, j); err != nil {
 
@@ -8,7 +8,7 @@ package controllers
 
 import (
 	pg "github.com/fi-ts/postgreslet/api/v1"
-	firewall "github.com/metal-stack/firewall-controller/api/v1"
+	firewall "github.com/metal-stack/firewall-controller/v2/api/v1"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 	zalando "github.com/zalando/postgres-operator/pkg/apis/acid.zalan.do/v1"
 
@@ -29,7 +29,7 @@ import (
 	pg "github.com/fi-ts/postgreslet/api/v1"
 	"github.com/fi-ts/postgreslet/pkg/lbmanager"
 	"github.com/fi-ts/postgreslet/pkg/operatormanager"
-	firewall "github.com/metal-stack/firewall-controller/api/v1"
+	firewall "github.com/metal-stack/firewall-controller/v2/api/v1"
 	zalando "github.com/zalando/postgres-operator/pkg/apis/acid.zalan.do/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"